infoTECH Feature

September 04, 2015

Brains vs. Brawn - Cracking the Seventh Layer

You are a well-respected CTO of a major hosting provider. You recently invested in and installed the latest network security solutions in your data center and are looking forward to getting a full night’s sleep, knowing you have taken the proper measures to secure your company’s data. Then the phone rings and your security team relays the bad news: you have suffered a DDoS attack. Not only did your website go down, but it went totally unnoticed until several back-end systems were almost completely unresponsive. You ask yourself, “How could this possibly have happened, given the network security landscape our team has implemented?”

Welcome to the elusive, difficult-to-spot and even more difficult-to-defend application-layer distributed denial-of-service (DDoS) attack, sometimes referred to as a “Layer 7” DDoS attack. Because your website and the supporting systems, applications, etc., are exposed to the outside world, they are ripe targets for more sophisticated attacks designed to exploit either uncorrected flaws or the way the various systems work. As application development continues to move to the Cloud, this attack will continue to be difficult to defend against.

How can security teams stay ahead of the onslaught that continues to assault organizations regardless of size or industry type?

The Brawn vs. The Brains

When the news reports on DDoS attacks, it is generally referring to large-scale network attacks that are focused on Layer 3 and 4 of the network stack. However, from a mitigation point of view, network layer attacks are not sophisticated. The ability to mitigate this type of attack always comes down to a simple question: who has more network capacity, the attacker or the mitigation service?

On the other hand, the application/Layer 7 attack is a completely different animal. When defending against these stealthy and complex methods, success does not depend on how big you are, but rather how smart your security technology is and how well it can be utilized.

The Invisible Attack

Successful mitigation of the Layer 7 DDoS attack relies on the ability to accurately profile incoming traffic – to distinguish between humans, human-like bots and hijacked Web browsers and connected devices, such as home routers. As a result, the Layer 7 mitigation process is often much more complex than the attack itself. This complexity, combined with the fact that—if done right—the attack will remain transparent, contributes to the lack of headlines on this subject. The security industry in general prefers to talk in terms of network capacity, which of course says nothing about your resilience against application layer attacks.

While network attacks over-exercise specific functions or features of a website with the intention of disabling them, an application-layer attack is different: many of the vulnerabilities it targets exist in the proprietary code of Web applications and are unknown to existing security defense solutions.

As mentioned earlier, the Cloud and pervasive cloud-based platforms that are becoming the new normal in application development have increased the attack surface for many organizations. In order to defend against the ever-changing DDoS landscape, developers need to integrate security measures while in the development phase of the application itself.

To assist in defending against Web threats, the Open Web Application Security Project (OWASP) was created. It publishes some of the most critical risks facing organizations in its “Top Ten Most Critical Web Application Security Risks.”

While the report outlines ten of the most prevalent application-layer risks, this information is only released every three years. In the meantime, new and more sophisticated attack methods are being perpetrated at an alarming rate. Until developers ingrain security solutions into their products, it will be up to security teams to be ever vigilant by implementing solutions that are designed to identify anomalous behavior in the network upon ingress.

Another Wrinkle to Consider – DDoS as a Distraction

Web, system and network admins need to be vigilant about Layer-7 DDoS attacks; however, the application layer can be targeted in an even more sinister way. As we have witnessed, hackers are becoming smarter. It was reported earlier this year that attackers are employing methods that are short in duration but large in traffic volume. Hackers employ these methods for a variety of reasons. Shopping (eCommerce) websites, for example, are particularly prone to this type of attack, in which paying customers are blocked at the last minute, forcing them to abandon their purchase.

This type of attack can also be used to identify the vulnerability of a network’s resources, such as how much memory or bandwidth there is, in order to determine the amount of traffic that will be needed to flood the network. Once determined, the hackers will use a volumetric attack to distract IT personnel while accessing the application layer from the back end. This type of attack typically will have been preceded by the injection of malware or the identification of a security flaw that allows the attacker to gain a measure of control.

The challenge for network personnel is understanding whether or not the traffic is legitimate. In other words, what is a bot and what is a customer? Advanced security tools will be needed to execute this type of protection.
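The traffic profiling described in “The Invisible Attack” section above, and the “what is a bot and what is a customer?” question raised here, can be illustrated with a small behavioural profiler over web access logs. The following is an added example written for this page; it is not code from the author, from NSFOCUS or from any product mentioned. It assumes a combined-format (Apache/nginx style) access log, and the sample log lines, the two client addresses and the thresholds (5 requests per second, a 20% static-asset share, a 20% distinct-path share, a 10-request minimum) are constructed for illustration rather than recommended production values.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Apache/nginx "combined" log format, e.g.
# 203.0.113.10 - - [04/Sep/2015:10:00:00 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
STATIC_EXT = (".css", ".js", ".png", ".jpg", ".gif", ".ico", ".woff2")


def parse_line(line):
    """Parse one combined-format access log line into a dict, or None if malformed."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def profile_clients(lines):
    """Aggregate per-client behavioural features (rate, path diversity, asset loading)."""
    acc = defaultdict(lambda: {"n": 0, "paths": set(), "static": 0, "first": None, "last": None})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # malformed line: skip it rather than crash the pipeline
        p = acc[rec["ip"]]
        p["n"] += 1
        path = rec["path"].split("?", 1)[0]  # ignore query string when counting endpoints
        p["paths"].add(path)
        if path.lower().endswith(STATIC_EXT):
            p["static"] += 1
        p["first"] = rec["ts"] if p["first"] is None else min(p["first"], rec["ts"])
        p["last"] = rec["ts"] if p["last"] is None else max(p["last"], rec["ts"])
    profiles = {}
    for ip, p in acc.items():
        window = max((p["last"] - p["first"]).total_seconds(), 1.0)  # avoid /0 for single hits
        profiles[ip] = {
            "requests": p["n"],
            "rps": p["n"] / window,
            "distinct_ratio": len(p["paths"]) / p["n"],
            "static_ratio": p["static"] / p["n"],
        }
    return profiles


def classify(profile, max_rps=5.0, min_static_ratio=0.2, min_distinct_ratio=0.2, min_requests=10):
    """Return the reasons a client looks like a Layer-7 flood source (empty list = looks human)."""
    reasons = []
    if profile["rps"] > max_rps:
        reasons.append("request rate %.1f/s exceeds %.1f/s" % (profile["rps"], max_rps))
    if profile["requests"] >= min_requests:  # ratios are meaningless on a handful of hits
        if profile["static_ratio"] < min_static_ratio:
            reasons.append("never fetches static assets (real browsers load CSS/JS/images)")
        if profile["distinct_ratio"] < min_distinct_ratio:
            reasons.append("hammers a single endpoint")
    return reasons


def make_line(ip, t, path, ua):
    """Build a constructed sample log line (not real traffic)."""
    return '%s - - [%s] "GET %s HTTP/1.1" 200 1024 "-" "%s"' % (
        ip, t.strftime("%d/%b/%Y:%H:%M:%S %z"), path, ua)


def sample_lines():
    """Constructed sample log: one browsing human and one scripted flood client."""
    t0 = datetime(2015, 9, 4, 10, 0, 0, tzinfo=timezone.utc)
    human, bot = "203.0.113.10", "198.51.100.7"  # RFC 5737 documentation addresses
    lines = []
    # Human-like session: a page, its assets, then two more pages, spread over 25 s.
    for i, path in enumerate(["/", "/static/app.css", "/static/app.js",
                              "/static/logo.png", "/products", "/products/42"]):
        lines.append(make_line(human, t0 + timedelta(seconds=5 * i), path, "Mozilla/5.0"))
    # Flood-like client: 40 hits on an expensive search endpoint within 4 s, no assets.
    for i in range(40):
        lines.append(make_line(bot, t0 + timedelta(seconds=i // 10),
                               "/search?q=%d" % i, "python-requests/2.7"))
    return lines


if __name__ == "__main__":
    for ip, prof in profile_clients(sample_lines()).items():
        verdict = classify(prof)
        print(ip, "SUSPECT" if verdict else "ok", "; ".join(verdict))
```

The point of the three features is that each on its own is weak (a busy proxy has a high rate, a price-checking customer revisits one page), but a client that combines a high rate, no asset loading and a single hammered endpoint is behaving like a script, not a person; a real mitigation product would also add signals such as TLS fingerprints, cookie handling and JavaScript challenges before blocking anyone.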

Best Practices to Protect Critical Applications

If you are a software developer or cyber security professional, it is vital that the following best practices be followed, at a minimum.

  • Educate yourself on the threats – Become familiar with Web application security risks that have already been identified. The OWASP Top-10 Web application security risks list is a great start.
  • Review your organization’s policies as they relate to content and security – Is there a valid plan for protecting company data assets from DDoS attacks? Is it current? Are you meeting compliance regulations? Are all company divisions involved? Remember, representation from business, IT and security should all be a part of the software development life cycle.
  • Speak with a security expert – Gain insight from the experts in the field. Whether it’s an analyst firm or a solution provider, look to the professional to learn what best practices are recommended in today’s threat environment and develop a mitigation plan that accounts for all threats, including the hard-to-spot Layer-7 DDoS attack.
  • Install equipment that secures the network from within – This requires appliances that are custom-built to detect and mitigate application Layer-7 attacks intelligently and quickly. Such protection is available as a feature of other network/security appliances, but complete protection requires custom-built anti-DDoS appliances.

In summary, application layer attacks are here to stay. They will continue to grow in frequency and complexity. It may not be economical to develop new applications from the ground up; therefore, secure application development policies need to be complemented by dedicated security appliances for complete “peace of mind” protection.

Rishi Agarwal

About the Author: Rishi Agarwal is Chief Evangelist at NSFOCUS, Inc. He has 12+ years’ experience in Product Marketing, Strategy, Business Development and Product Management. He has broad domain expertise in Network Security, Compute and Storage. Prior to NSFOCUS, he was a Senior Manager at Arbor Networks. Additionally, he has worked at leading technology vendors such as Microsoft, Intel and SanDisk.

Edited by Maurice Nagle